Apple - How to fix curl: (60) SSL certificate: Invalid certificate chain when using sudo
f you store your CA certificates on the filesystem (in PEM format) you can tell curl to use them with
sudo curl --cacert /path/to/cacert.pem ...
You can also turn off the certificate verification with
sudo curl --insecure ...
Edit: Updated with regard to feedback
If you want to set this permanently, you should create a .curlrc
files and place in your home directory. sudo
commands may need this file in /var/root
The file takes the same options as the command line but without the dashes. One option per line:
cacert=/path/to/my/certs.pem
Root doesn't read from the current user trust settings, but there are both an admin trust settings and root-user-specific trust settings. (These are also distinct from the system trust settings.) Note, also, that certificate trust settings are somewhat distinct from just adding a certificate to a keychain; you can mark a cert as trusted without fully adding it. (The exact situation here is not clear to me, and the docs I've seen are vague.)
You can mark a cert as trusted for your current user as
$ security add-trusted-cert /path/to/cert.pem
but that doesn't help with root. The solution, as you might now guess, is either to sudo
the above, which then marks it as trusted for the root user specifically:
$ sudo security add-trusted-cert /path/to/cert.pem
or to use the -d
flag to add it to the admin trust settings:
$ security add-trusted-cert -d /path/to/cert.pem
(OS X will pop up a password dialog to confirm this one.)
Either of the latter two seems to be sufficient for sudo curl
.
Reference: https://developer.apple.com/library/mac/Documentation/Darwin/Reference/ManPages/man1/security.1.html
This is really in the output hint:
echo insecure >> ~/.curlrc
Advantage of using above solution is that it works for all curl
commands, but it is not recommended since it may introduce MITM attacks by connecting to insecure and untrusted hosts.